TLS Working Group T. Putman
Internet-Draft Dyson Technology
Intended status: Informational November 30, 2017
Expires: June 3, 2018
ECDH-based Authentication using Pre-Shared Asymmetric Keypairs for
(Datagram) Transport Layer Security ((D)TLS) Protocol version 1.2
draft-putman-tls-preshared-ecdh-00
Abstract
This document defines a new mutual authentication method for the
Transport Layer Security (TLS) protocol version 1.2. The
authentication method requires that the client and server are each
pre-provisioned with a unique asymmetric Elliptic Curve Diffie-
Hellman (ECDH) keypair and with the public ECDH key of the peer. The
handshake provides ephemeral ECDH keys, and a premaster key is agreed
using Double- or Triple-ECDH; confirmation of possession of this key
provides mutual authentication. Multiple new cipher suites which use
this authentication method are specified.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 3, 2018.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Putman Expires June 3, 2018 [Page 1]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Rationale for Choice of Authentication Algorithm . . . . 3
1.2. Specified Cipher Suites . . . . . . . . . . . . . . . . . 3
1.3. Applicability Statement . . . . . . . . . . . . . . . . . 4
1.4. Client Impact Compared to Alternatives . . . . . . . . . 4
1.5. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. 2ECDH and 3ECDH Key Exchange Algorithm . . . . . . . . . . . 5
3. Conformance Requirements . . . . . . . . . . . . . . . . . . 8
3.1. PSK Identity Encoding . . . . . . . . . . . . . . . . . . 9
3.2. PSK Identity Protection . . . . . . . . . . . . . . . . . 9
3.3. Identity Hint . . . . . . . . . . . . . . . . . . . . . . 9
3.4. Requirements for TLS Implementations . . . . . . . . . . 10
3.5. Requirements for Management Interfaces . . . . . . . . . 10
4. Cryptographic Operations . . . . . . . . . . . . . . . . . . 10
4.1. Computing the Premaster Secrets . . . . . . . . . . . . . 10
4.2. Computing the Master Secrets . . . . . . . . . . . . . . 12
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
7. Security Considerations . . . . . . . . . . . . . . . . . . . 13
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
8.1. Normative References . . . . . . . . . . . . . . . . . . 14
8.2. Informative References . . . . . . . . . . . . . . . . . 15
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction
Often, constrained devices use pre-shared keys (PSK) for
authentication and key agreement. A drawback of this is that if the
server database of pre-shared keys is compromised, then this means
that not only can the server be impersonated to the clients, but also
the symmetric nature of the keys means that the clients can be
impersonated to the server.
In consequence, a large-scale database compromise can result in
large-scale client impersonation. This would be very hard to recover
from because any remote update to the clients risks providing the
updated information to an adversary.
This document describes the use of asymmetric pre-shared keys to
address this data-loss scenario. It is intended to replace the use
Putman Expires June 3, 2018 [Page 2]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
of symmetric pre-shared keys, so it should only be used in the same
rather limited set of deployments. It assumes that an OOB method of
pre-configuring the asymmetric keys into the endpoints exists, and
this method is outside the scope of this document.
Another advantage of using asymmetric keys is that it is easier to
protect a single server private key using hardware security than it
is to protect a database of shared symmetric keys.
1.1. Rationale for Choice of Authentication Algorithm
In TLS 1.2 [RFC5246], all cipher suites except those based on PSK
require perfect forward secrecy (PFS), which in turn requires (at
present) either Diffie-Hellman or Elliptic Curve Diffie-Hellman. The
authenticated key-agreement methods introduced in this document are
primarily for use by constrained devices, so only Elliptic Curve
algorithms are considered.
In order to be usable by as many constrained devices as possible,
this proposal uses only a single algorithm, namely the ECDH
algorithm. Even if the device contains code for other public key
algorithms (e.g. EdDSA for code update signature checking), these
may be coded to use a slow variant of the algorithm to conserve code
and data space.
Double-ECDH [Blake-Wilson] could be used for authenticated key
agreement, but this would not provide PFS. PFS can be provided by
using Triple-ECDH [Kudla] with no change to the protocol messages; it
only adds to the cost of computing the session key by adding one
additional ECDH computation.
In order to break PFS in Double-ECDH, the attacker must obtain the
static ECDH private keys of both client and server. This is likely
to be a difficult feat, so both Dual- and Triple-ECDH are specified
in this document.
Perfect Forward Secrecy (PFS) is a strongly recommended feature in
security protocol design and is mandatory to implement in both HTTP/2
[RFC7540] and (for non-PSK deployments) CoAP [RFC7252]. Therefore,
Triple-ECDH SHOULD be used for those deployments where the client
devices are able to support the additional computation.
1.2. Specified Cipher Suites
This document specifies the new Double-ECDH and Triple-ECDH
authentication algorithms together with a number of existing AEAD
cipher algorithms, namely AES-GCM [RFC5288], AES-CCM [RFC6655] and
Putman Expires June 3, 2018 [Page 3]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
ChaCha20-Poly1305 [RFC7905], as well as with the NULL cipher from TLS
1.2 [RFC5246]. A summary of these cipher suites is shown below.
+-----------------------------------------+-------------------------+
| Cipher Suite | Authenticated Key |
| | Agreement |
+-----------------------------------------+-------------------------+
| TLS_2ECDH_WITH_AES_128_GCM_SHA256 | Double-ECDH |
| TLS_2ECDH_WITH_AES_256_GCM_SHA384 | Double-ECDH |
| TLS_2ECDH_WITH_AES_128_CCM_8_SHA256 | Double-ECDH |
| TLS_2ECDH_WITH_AES_128_CCM_SHA256 | Double-ECDH |
| TLS_2ECDH_WITH_NULL_SHA256 | Double-ECDH |
| TLS_2ECDH_WITH_NULL_SHA384 | Double-ECDH |
| TLS_2ECDH_WITH_CHACHA20_POLY1305_SHA256 | Double-ECDH |
| TLS_3ECDH_WITH_AES_128_GCM_SHA256 | Triple-ECDH |
| TLS_3ECDH_WITH_AES_256_GCM_SHA384 | Triple-ECDH |
| TLS_3ECDH_WITH_AES_128_CCM_8_SHA256 | Triple-ECDH |
| TLS_3ECDH_WITH_AES_128_CCM_SHA256 | Triple-ECDH |
| TLS_3ECDH_WITH_NULL_SHA256 | Triple-ECDH |
| TLS_3ECDH_WITH_NULL_SHA384 | Triple-ECDH |
| TLS_3ECDH_WITH_CHACHA20_POLY1305_SHA256 | Triple-ECDH |
+-----------------------------------------+-------------------------+
1.3. Applicability Statement
The cipher suites defined in this document are intended for a narrow
set of applications, where there is a well-established relationship
between clients and servers and where, in addition, there are severe
constraints on the client capabilities. Even in such deployments,
other alternatives may be more appropriate.
If the loss of server data is not of concern, then the PSK [RFC4279]
or ECDHE_PSK [RFC5489] cipher suites may be more appealing. If the
main goal is to avoid Public-Key Infrastructures (PKIs), then the use
of raw public keys [RFC7250] may be preferrable.
If the relationship between client and server is not close, for
example if the client enrols with the server, then a password-based
cipher suite such as SRP [RFC5054] or Dragonfly
[I-D.harkins-tls-dragonfly] may result in lower management overheads.
1.4. Client Impact Compared to Alternatives
Compared with PSK, the use of asymmetric keys doubles the number of
keys that a client must be configured with: each client must have a
unique private key and must also have a corresponding server public
key. In addition, the ECDH keys are approximately twice as large as
the symmetric keys of equivalent cryptographic strength.
Putman Expires June 3, 2018 [Page 4]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
The client also needs its public key for premaster secret generation.
This can either be preconfigured or it may be generated from the
private key and the generator (the latter may reside in code space).
This is a time-space tradeoff.
The client using Double- or Triple ECDH must perform two (resp.
three) public key operations: this is two (resp. three) more than is
used for PSK authentication; it is one (resp. two) more than is used
for ECDHE_PSK authentication, and it is one fewer (resp.
approximately that same) as is used for a client-authenticated ECDHE
exchange for other schemes.
As the keys are pre-shared, there is no need for the Certificate or
CertificateVerify handshake messages to be sent. This saves a
considerable amount of data in the handshake exchange which helps to
make the protocol more robust in deployments which have unreliable
network connectivity.
1.5. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] and
[RFC8174].
2. 2ECDH and 3ECDH Key Exchange Algorithm
This section defines the key exchange algorithm and associated cipher
suites which are used for 2ECDH and 3ECDH. It is assumed that the
reader is familiar with the ordinary TLS handshake, shown below. The
elements in parenthesis are not included when the 2ECDH or 3ECDH key
exchange algorithm is used. The message exchange is identical to
that used for the DHE_PSK handshake defined in Pre-Shared Key
Ciphersuites for TLS [RFC4279], though the message contents differ a
little.
Putman Expires June 3, 2018 [Page 5]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
Client Server
------ ------
ClientHello -------->
ServerHello
(Certificate)
ServerKeyExchange
(CertificateRequest)
ChangeCipherSpec
Application Data
The client indicates its willingness to use 2ECDH or 3ECDH
authentication by including one or more corresponding cipher suites
in the ClientHello message. If the TLS server also wants to use
2ECDH or 3ECDH, it selects one of the corresponding cipher suites,
places the selected cipher suite in the ServerHello message, and
includes an appropriate ServerKeyExchange message. The Certificate
and CertificateRequest payloads are omitted from the response.
The server will have to establish sessions with multiple clients and
so will have multiple client ECDH public keys. The client indicates
which key to use by including an encrypted "PSK identity" in the
ClientKeyExchange message. To help the client in selecting which
identity to use, the server can provide an unencrypted "PSK identity
hint" in the ServerKeyExchange message.
The client may have static ECDH keypairs on more than one curve
associated with the same PSK Identity. For example, during a
transition to a more secure curve, there will likely be a period when
both curves are supported. The client MUST have only a single static
ECDH keypair per curve for a given PSK Identity.
The server, which here means a server endpoint hosting the TLS
functionality, may similarly have static ECDH keypairs on more than
one curve. The server MUST have only a single static ECDH keypair
per curve. This does not prevent a single physical device from
having multiple static ECDH keypairs on a single curve, but if this
is done then each MUST be associated with a different TLS endpoint.
The client SHOULD include the Supported Elliptic Curves Extension in
the ClientHello message, listing all curves for which it holds a
Putman Expires June 3, 2018 [Page 6]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
static ECDH private key. If it lists other ECDH-related cipher
suites in the list of supported cipher suites, then there is a risk
that the server will select a 2ECDH- or 3ECDH- cipher suite using a
curve which does not correspond to a key the client holds. In this
case, the client should restart the handshake, omitting the selected
curve from the Supported Elliptic Curves extension. Such an
occurrence is expected to be rare, as there is no reason to suggest
other cipher suites if the client knows that the server supports the
2ECDH- or 3ECDH- cipher suites.
In order to comply with [I-D.ietf-tls-rfc4492bis], the client and
server MUST only use the uncompressed format for ECDH public keys.
The client and server SHOULD include the Supported Point Formats
Extension in the ClientHello (resp. ServerHello) message indicating
support for only the uncompressed format.
The cipher suites in this document apply only to TLS 1.2. The server
MUST NOT select any of these cipher suites if a different TLS version
is being negotiated.
The ServerKeyExchange and ClientKeyExchange messages also include the
Elliptic Curve Diffie-Hellman parameters for the ephemeral keys.
Note that the ECDH curve parameters MUST be those of the selected
pre-shared asymmetric key.
The format of the ServerKeyExchange and ClientKeyExchange messages is
shown below.
Putman Expires June 3, 2018 [Page 7]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
struct {
select (KeyExchangeAlgorithm) {
/* other cases for rsa, diffie_hellman, etc. */
case 2ec_diffie_hellman: /* NEW */
opaque psk_identity_hint<0..2^16-1>;
ServerECDHParams params;
case 3ec_diffie_hellman: /* NEW */
opaque psk_identity_hint<0..2^16-1>;
ServerECDHParams params;
};
} ServerKeyExchange;
struct {
select (KeyExchangeAlgorithm) {
/* other cases for rsa, diffie_hellman, etc. */
case 2ec_diffie_hellman: /* NEW */
opaque encrypted_psk_identity<0..2^16-1>;
ClientECDiffieHellmanPublic public;
case 3ec_diffie_hellman: /* NEW */
opaque encrypted_psk_identity<0..2^16-1>;
ClientECDiffieHellmanPublic public;
} exchange_keys;
} ClientKeyExchange;
The structures ServerECDHParams and ClientECDiffieHellmanPublic are
the same as defined in [I-D.ietf-tls-rfc4492bis]. The semantics of
psk_identity_hint is given in section Section 3.3. The contents of
encrypted_psk_identity is defined in Section 3.1 and Section 3.2.
3. Conformance Requirements
It is expected that different types of identities are useful for
different applications running over TLS. This document does not
therefore mandate the use of any particular type of identity (such as
IPv4 address or Fully Qualified Domain Name (FQDN)).
However, the TLS client and server clearly have to agree on the
identities and keys to be used. To improve interoperability, this
document places requirements on how the identity is encoded in the
protocol, and what kinds of identities and keys implementations have
to be supported.
The requirements for implementations are divided into two categories,
requirements for TLS implementations and management interfaces. In
this context, "TLS implementation" refers to a TLS library or module
that is intended to be used for several different purposes, while
"management interface" would typically be implemented by a particular
application that uses TLS.
Putman Expires June 3, 2018 [Page 8]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
This document does not specify how the server stores the keys and
identities, or how exactly it finds the key corresponding to the
identity it receives. For instance, if the identity is a domain
name, it might be appropriate to do a case-insensitive lookup. It is
RECOMMENDED that before looking up the key, the server processes the
PSK identity with a PRECIS framework (see [RFC7564]) appropriate for
the identity in question (such as [RFC5891] for components of domain
names or [RFC8265] for usernames).
3.1. PSK Identity Encoding
The PSK identity MUST be first converted to a character string, and
then encoded to octets using UTF-8 [RFC3629]. For instance,
o IPv4 addresses are sent as dotted-decimal strings (e.g.
"192.0.2.1"), not as 32-bit integers in network byte order.
o Domain names are sent in their usual text form [RFC1035] (e.g.
"www.example.com" or "embedded\.dot.example.net"), not in DNS
protocol format.
o X.500 Distinguished Names are sent in their string representation
[RFC4514], not as BER-encoded ASN.1.
This encoding is clearly not optimal for many types of identities.
It was chosen to avoid identity-type-specific parsing and encoding
code in implementations where the identity is configured by a person
using some kind of management interface. Requiring such identity-
type-specific code would also increase the chances for
interoperability problems resulting from different implementations
supporting different identity types.
3.2. PSK Identity Protection
The PSK Identity MUST be encrypted with the selected authenticated
encryption algorithm using the client_write_key derived from the
pskid_master_secret described in section 4.2. The
GenericAEADCipher.nonce_explicit is a sequence of zero octets of the
length appropriate for the cipher and there is no "additional data".
3.3. Identity Hint
In the absence of an application profile specification specifying
otherwise, servers SHOULD NOT provide an identity hint and clients
MUST ignore the identity hint field. Applications that do use this
field MUST specify its contents, how the value is chosen by the TLS
server, and what the TLS client is expected to do with the value.
Putman Expires June 3, 2018 [Page 9]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
3.4. Requirements for TLS Implementations
TLS implementations supporting these cipher suites MUST support
arbitrary PSK Identities up to 128 octets in length, and MUST support
P-256. Supporting longer identities and other ECDH curves is
RECOMMENDED.
3.5. Requirements for Management Interfaces
In the absence of an application profile specification specifying
otherwise, a management interface for entering the pre-shared
private/public keys, and/or PSK Identity MUST support the following:
o Entering PSK identities consisting of up to 128 printable Unicode
characters. Supporting as wide a character repertoire and as long
identities as feasible is RECOMMENDED.
o Entering the elliptic curve or curves which are supported together
with the corresponding generator(s).
o Entering pre-shared private and public keys in uncompressed form
with each co-ordinate being up to 32 octets in length in
hexadecimal encoding. Supporting compressed forms and longer co-
ordinates is RECOMMENDED. The interface SHOULD validate the key
which was entered, if possible; that is, check that a private key
is in the correct range and that a public key is a point on the
curve in the correct subgroup.
4. Cryptographic Operations
Two different premaster secrets and their corresponding master
secrets are computed for this handshake. The first is to encrypt/
decrypt the PSK Identity and the second is for use in the actual TLS
session. Both of these use similar algorithms, though they differ in
the algorithm parameters.
4.1. Computing the Premaster Secrets
The structure for all premaster secrets for this document is the
same, namely:
struct {
opaque ephemeral_ecdh<0..2^16-1>;
opaque client_static_ephemeral_ecdh<0..2^16-1>;
opaque server_static_ephemeral_ecdh<0..2^16-1>;
opaque client_static_ecdh<0..2^16-1>;
opaque server_static_ecdh<0..2^16-1>;
};
Putman Expires June 3, 2018 [Page 10]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
The elements of this struct are populated differently, depending on
both the cipher suite which has been selected and on the premaster
key which is being constructed.
All ECDH computations are carried out as described in section 5.10 of
[I-D.ietf-tls-rfc4492bis]. The public key validation described in
section 5.11 of [I-D.ietf-tls-rfc4492bis] MUST always be carried out;
for X25519 and X448, the receiving party check MUST be applied to
each ECDH computation, not just to the overall premaster secret.
All computations use the same curve, which is indicated in
ServerECDHParams, so they all result in an output string of the same
known length. For those elements of the premaster secret struct
which do not involve an ECDH computation, the element is the same
length as the ECDH output and is filled with zero bytes.
For all cipher suites which use Double-ECDH, the ephemeral_ecdh
element is constructed as a uint16 containing the length of the ECDH
output followed by that number of zero bytes. For all cipher suites
which use Triple-ECDH, the ephemeral_ecdh element is constructed as a
uint16 containing the length of the ECDH output followed by the octet
string which is the output of the ECDH computation using both
ephemeral ECDH keys.
The client_static_ephemeral_ecdh element for the premaster secret
which is used to derive keys to protect the PSK Identity is
constructed as a uint16 containing the length of the ECDH output
followed by that number of zero bytes. The
client_static_ephemeral_ecdh element for the premaster secret which
is used to derive keys for the TLS session is constructed as a uint16
containing the length of the ECDH output followed by the octet string
which is the output of the ECDH computation using the client's static
(pre-shared) ECDH key and the server's ephemeral ECDH key.
For all cipher suites specified in this document, the
server_static_ephemeral_ecdh element is constructed as a uint16
containing the length of the ECDH output followed by the octet string
which is the output of the ECDH computation using the server's static
(pre-shared) ECDH key and the client's ephemeral ECDH key.
The client_static_ecdh and server_static_ecdh keys are not present in
the message exchange, so they are included here to mix them into the
session key. They are represented in the same way as all the other
results, namely as the x-coordinate of the public key represented as
an octet string (with leading zeros included). The
server_static_ecdh key is alway present, but the client_static_ecdh
key is replaced by a sequence of zeros in the premaster secret
structure which is used to derive keys to protect the PSK Identity.
Putman Expires June 3, 2018 [Page 11]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
4.2. Computing the Master Secrets
The algorithm which is used to convert the pre_master_secret for
protecting the PSK Identity into the corresponding master_secret uses
a similar construction to that used for the TLS session master key.
pskid_master_secret = PRF(pskid_premaster_secret, "psk identity",
ClientHello.random + ServerHello.random)
[0..47];
The pskid_premaster_secret does not need to be deleted from memory
once the pskid_master_secret has been computed: it may be retained
for use in constructing the premaster_secret for the TLS session. It
SHOULD be deleted either when the TLS session premaster_secret is
deleted or if the handshake exchange is terminated early for some
reason.
The algorithm which is used to convert the premaster_secret for the
TLS session to the corresponding master secret is the standard TLS
1.2 method described in section 8.1 of [RFC5246].
5. Acknowledgements
The document structure is based heavily on [RFC4279] and a fair
amount of text was copied from that, so the author would like to
thank the authors of that RFC, namely Pasi Eronen, Hannes Tschofenig,
Mohamad Badra, Omar Cherkaoui, Ibrahim Hajjeh and Ahmed Serhrouchni.
The idea of encrypting the PSK Identity, though not the method, was
borrowed from [I-D.harkins-tls-dragonfly], so the author would also
like to thank Dan Harkins.
6. IANA Considerations
This document defines the following new cipher suites, whose values
have been assigned in the TLS Cipher Suite Registry defined by
[RFC5246].
Putman Expires June 3, 2018 [Page 12]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
TLS_2ECDH_WITH_AES_128_GCM_SHA256 = {0xTBD; 0xTBD}
TLS_2ECDH_WITH_AES_256_GCM_SHA384 = {0xTBD; 0xTBD}
TLS_2ECDH_WITH_AES_128_CCM_8_SHA256 = {0xTBD; 0xTBD}
TLS_2ECDH_WITH_AES_128_CCM_SHA256 = {0xTBD; 0xTBD}
TLS_2ECDH_WITH_NULL_SHA256 = {0xTBD; 0xTBD}
TLS_2ECDH_WITH_NULL_SHA384 = {0xTBD; 0xTBD}
TLS_2ECDH_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD; 0xTBD}
TLS_3ECDH_WITH_AES_128_GCM_SHA256 = {0xTBD; 0xTBD}
TLS_3ECDH_WITH_AES_256_GCM_SHA384 = {0xTBD; 0xTBD}
TLS_3ECDH_WITH_AES_128_CCM_8_SHA256 = {0xTBD; 0xTBD}
TLS_3ECDH_WITH_AES_128_CCM_SHA256 = {0xTBD; 0xTBD}
TLS_3ECDH_WITH_NULL_SHA256 = {0xTBD; 0xTBD}
TLS_3ECDH_WITH_NULL_SHA384 = {0xTBD; 0xTBD}
TLS_3ECDH_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD; 0xTBD}
NOTE TO THE RFC EDITOR: PLEASE REMOVE THIS PARAGRAPH. Please replace
each instance of {0xTBD; 0xTBD} with the appropriate IANA-assigned
values. All cipher suites are suitable for DTLS and none is IETF-
recommended.
7. Security Considerations
The security considerations in TLS 1.2 [RFC5246], DTLS 1.2 [RFC6347],
ECC Cipher Suites for TLS (including Curve25519 and Curve448)
[I-D.ietf-tls-rfc4492bis], AES-GCM [RFC5288], AES-CCM [RFC6655] and
ChaCha20-Poly1305 [RFC7905] apply to this document as well.
The Double- and Triple-Diffie-Hellman authenticated key exchange is
not particularly new, but it has not seen wide usage. Triple-ECDH is
used in the Signal protocol [Marlinspike] and a security proof of
both in a modified form of the Bellare-Rogaway model is provided in
[Kudla]; this latter paper also proves strong partnering in the
random oracle model.
The TLS 1.2 protocol is more complex than the protocol used in the
above proof, but no additional constraints are made on the components
of the proof. All the material which is used to compose the key in
the proof is also used in constructing the Finished messages: the
ephemeral public keys form part of the handshake messages and the
remaining material is used in the construction of the premaster
secret. Therefore, the security proof also holds for the protocol as
described in this document.
The security of the PSK Identity is weaker than that of the completed
protocol: it does not have any verified client information in the
keying material. Therefore an attacker who knows the server public
key may impersonate a client when sending a client key exchange
Putman Expires June 3, 2018 [Page 13]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
message; this is no different to the PSK cipher suites and does not
affect the security of the completed handshake.
Because a PSK Identity can be forged, the server should ensure that
there are no PSK Identity retrievals which are more expensive than
other operations in this protocol; this is to mitigate DoS attacks.
Additionally, if there are differences in the lookup time of a PSK
Identity (e.g. if recent lookups are cached), then an attacker may be
able to obtain information about the PSK Identity of a recent
handshake from timing attacks.
The NULL cipher suites do not provide confidentiality, so these must
not be used in situations where sensitive or private data (e.g.
passwords) is tranmitted. The cipher suite used for protecting the
PSK Identity is the same as that used for protecting the TLS session.
If NULL encryption is chosen for the session, then the PSK Identity
is not confidential either.
As with the PSK cipher suites, these protocols make use of hidden
information in the construction of the keying material. This means
that the cipher suites are quantum-safe in the event of storage of
the message exchange for later attack, provided that the client and/
or server static public keys (the pre-provisioned keys) remain
unknown to the eavesdropper.
The overall security level of the solution depends on the security of
the cipher suite together with the security of the Elliptic Curve
chosen for the pre-shared key. The curve and the cipher suite SHOULD
be chosen to have approximately the same security level so that the
processing load on the client is minimised for a required security
level. For example, X25519 (128 bits of security) could be the
chosen ECDH algorithm for use with the
TLS_3ECDH_WITH_AES_128_CCM_8_SHA256 cipher suite.
8. References
8.1. Normative References
[I-D.ietf-tls-rfc4492bis]
Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic
Curve Cryptography (ECC) Cipher Suites for Transport Layer
Security (TLS) Versions 1.2 and Earlier", draft-ietf-tls-
rfc4492bis-17 (work in progress), May 2017.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
Putman Expires June 3, 2018 [Page 14]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, .
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
.
[RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
DOI 10.17487/RFC5288, August 2008,
.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, .
[RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
Transport Layer Security (TLS)", RFC 6655,
DOI 10.17487/RFC6655, July 2012,
.
[RFC7905] Langley, A., Chang, W., Mavrogiannopoulos, N.,
Strombergson, J., and S. Josefsson, "ChaCha20-Poly1305
Cipher Suites for Transport Layer Security (TLS)",
RFC 7905, DOI 10.17487/RFC7905, June 2016,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, .
8.2. Informative References
[Blake-Wilson]
Blake-Wilson, S., Johnson, D., and A. Menezes, "Key
Agreement Protocols and their Security Analysis",
Cryptography and Coding volume 1355 of LNCS, 1997.
[I-D.harkins-tls-dragonfly]
Harkins, D., "Secure Password Ciphersuites for Transport
Layer Security (TLS)", draft-harkins-tls-dragonfly-02
(work in progress), August 2017.
Putman Expires June 3, 2018 [Page 15]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
[Kudla] Kudla, C. and K. Paterson, "Modular Security Proofs for
Key Agreement Protocols", Advances in Cryptology ASIACRYPT
2005: 11th International Conference on the Theory and
Application of Cryptology and Information Security, 2005,
.
[Marlinspike]
Marlinspike, M. and T. Perrin, "The X3DH Key Agreement
Protocol", November 2016,
.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, .
[RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key
Ciphersuites for Transport Layer Security (TLS)",
RFC 4279, DOI 10.17487/RFC4279, December 2005,
.
[RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
(LDAP): String Representation of Distinguished Names",
RFC 4514, DOI 10.17487/RFC4514, June 2006,
.
[RFC5054] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin,
"Using the Secure Remote Password (SRP) Protocol for TLS
Authentication", RFC 5054, DOI 10.17487/RFC5054, November
2007, .
[RFC5489] Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for
Transport Layer Security (TLS)", RFC 5489,
DOI 10.17487/RFC5489, March 2009,
.
[RFC5891] Klensin, J., "Internationalized Domain Names in
Applications (IDNA): Protocol", RFC 5891,
DOI 10.17487/RFC5891, August 2010,
.
[RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
Weiler, S., and T. Kivinen, "Using Raw Public Keys in
Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
June 2014, .
Putman Expires June 3, 2018 [Page 16]
Internet-Draft Preshared ECDH Key Auth for TLS 1.2 November 2017
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014,
.
[RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
DOI 10.17487/RFC7540, May 2015,
.
[RFC7564] Saint-Andre, P. and M. Blanchet, "PRECIS Framework:
Preparation, Enforcement, and Comparison of
Internationalized Strings in Application Protocols",
RFC 7564, DOI 10.17487/RFC7564, May 2015,
.
[RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation,
Enforcement, and Comparison of Internationalized Strings
Representing Usernames and Passwords", RFC 8265,
DOI 10.17487/RFC8265, October 2017,
.
Author's Address
Tony Putman
Dyson Technology
Malmesbury SN16 0RP
UK
Email: tony.putman@dyson.com
Putman Expires June 3, 2018 [Page 17]